diff --git a/audit-1.6.3-noretry.patch b/audit-1.6.3-noretry.patch
deleted file mode 100644
index 7281395..0000000
--- a/audit-1.6.3-noretry.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff -urp audit-1.6.2.orig/audisp/audispd.c audit-1.6.2/audisp/audispd.c
---- audit-1.6.2.orig/audisp/audispd.c 2007-10-17 13:56:22.000000000 -0400
-+++ audit-1.6.2/audisp/audispd.c 2007-10-17 14:13:49.000000000 -0400
-@@ -369,7 +369,6 @@ int main(int argc, char *argv[])
- conf = plist_get_cur(&plugin_conf);
- while (conf) {
- free_pconfig(conf->p);
-- free(conf->p);
- conf = plist_next(&plugin_conf);
- }
- plist_clear(&plugin_conf);
-diff -urp audit-1.6.2.orig/lib/lookup_table.c audit-1.6.2/lib/lookup_table.c
---- audit-1.6.2.orig/lib/lookup_table.c 2007-10-17 13:56:22.000000000 -0400
-+++ audit-1.6.2/lib/lookup_table.c 2007-10-17 13:56:49.000000000 -0400
-@@ -483,7 +483,7 @@ int audit_name_to_msg_type(const char *m
- strncpy(buf, msg_type + 8, len);
- errno = 0;
- return strtol(buf, NULL, 10);
-- } else if (isdigit(msg_type)) {
-+ } else if (isdigit(*msg_type)) {
- errno = 0;
- return strtol(msg_type, NULL, 10);
- }
-diff -urp audit-1.6.2.orig/lib/msg_typetab.h audit-1.6.2/lib/msg_typetab.h
---- audit-1.6.2.orig/lib/msg_typetab.h 2007-10-17 13:56:22.000000000 -0400
-+++ audit-1.6.2/lib/msg_typetab.h 2007-10-17 13:57:27.000000000 -0400
-@@ -92,7 +92,7 @@ _S(AUDIT_KERNEL_OTHER, "KE
- _S(AUDIT_FD_PAIR, "FD_PAIR" )
- _S(AUDIT_OBJ_PID, "OBJ_PID" )
- _S(AUDIT_TTY, "TTY" )
--//_S(AUDIT_EOE, "EOE" )
-+_S(AUDIT_EOE, "EOE" )
- _S(AUDIT_AVC, "AVC" )
- _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
- _S(AUDIT_AVC_PATH, "AVC_PATH" )
-diff -urp audit-1.6.2.orig/src/auditd.c audit-1.6.2/src/auditd.c
---- audit-1.6.2.orig/src/auditd.c 2007-10-17 13:56:22.000000000 -0400
-+++ audit-1.6.2/src/auditd.c 2007-10-17 13:59:32.000000000 -0400
-@@ -127,16 +127,18 @@ static void distribute_event(struct audi
- 
- /* End of Event is for realtime interface - skip local logging of it */
- if (rep->reply.type != AUDIT_EOE) {
-+ int yield = rep->reply.type <= AUDIT_LAST_DAEMON &&
-+ rep->reply.type >= AUDIT_FIRST_DAEMON ? 
1 : 0;
-+
- /* Write to local disk */
- enqueue_event(rep);
-- if (rep->reply.type <= AUDIT_LAST_DAEMON &&
-- rep->reply.type >= AUDIT_FIRST_DAEMON)
-+ if (yield)
- pthread_yield(); /* Let other thread try to log it. */
- }
- 
- /* Last chance to send...maybe the pipe is empty now. */
-- if (attempt)
-- dispatch_event(&rep->reply, attempt);
-+// if (attempt)
-+// dispatch_event(&rep->reply, attempt);
- }
- 
- /*
diff --git a/audit.spec b/audit.spec
index 15cea13..9bdd31b 100644
--- a/audit.spec
+++ b/audit.spec
@@ -1,15 +1,16 @@
-%define sca_version 0.4.3
-%define sca_release 8
+%define sca_version 0.4.5
+%define sca_release 1
+%define selinux_variants mls strict targeted
+%define selinux_policyver %(rpm -q selinux-policy | sed -e 's,^selinux-policy-\\([^/]*\\)$,\\1,')
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
-Version: 1.6.2
-Release: 4%{?dist}
+Version: 1.6.3
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: %{name}-%{version}.tar.gz
-Patch1: audit-1.6.3-noretry.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gettext-devel intltool libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
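Review bot: `%define selinux_policyver %(rpm -q selinux-policy | sed -e 's,^selinux-policy-\\([^/]*\\)$,\\1,')` stays non-empty when selinux-policy is absent on the host that parses the spec, because `rpm -q` reports "package selinux-policy is not installed" on standard output and sed's `s` command passes a non-matching line through unchanged. The `%if "%{selinux_policyver}" != ""` guard in the next hunk then never takes its empty branch, and the generated `Requires: selinux-policy >= …` carries that message in place of a version. Printing only substituted lines closes the gap: `%define selinux_policyver %(rpm -q selinux-policy 2>/dev/null | sed -n -e 's,^selinux-policy-\\([^/]*\\)$,\\1,p')`. Separately, dropping `Patch1: audit-1.6.3-noretry.patch` relies on the 1.6.3 tarball already containing what the deleted patch carried (the `isdigit(*msg_type)` fix, the removed extra `free(conf->p)` and the `AUDIT_EOE` table entry); none of the new changelog lines names them, so that is worth confirming before the patch file goes.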
@@ -55,6 +56,27 @@ Requires: %{name}-libs = %{version}-%{release}
 The audit-libs-python package contains the bindings so that libaudit and libauparse can be used by python.
+%package -n audispd-plugins
+Summary: Plugins for the audit event dispatcher
+License: GPLv2+
+Group: System Environment/Daemons
+BuildRequires: openldap-devel
+BuildRequires: checkpolicy selinux-policy-devel
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs = %{version}-%{release}
+Requires: openldap
+%if "%{selinux_policyver}" != ""
+Requires: selinux-policy >= %{selinux_policyver}
+%endif
+Requires(post): /usr/sbin/semodule /sbin/restorecon
+Requires(postun): /usr/sbin/semodule
+
+%description -n audispd-plugins
+The audispd-plugins package provides plugins for the real-time
+interface to the audit system, audispd. These plugins can do things
+like relay events to remote machines or analyze events for suspicious
+behavior.
+
 %package -n system-config-audit
 Summary: Utility for editing audit configuration
 Version: %{sca_version}
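Review bot: `Requires: openldap` in the new audispd-plugins subpackage duplicates what rpm's automatic dependency generator records from the soname the plugin links against (`BuildRequires: openldap-devel` suggests libldap is linked in), and a package-name requirement is the weaker of the two, since it stays satisfied across a soname-changing openldap update. Unless the plugin needs a file from openldap beyond the shared library, dropping the line leaves the correct dependency in place; if it is needed, a one-line comment above it naming the reason would stop the next reviewer from removing it.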
@@ -64,27 +86,42 @@ Group: Applications/System
 Requires: pygtk2-libglade usermode usermode-gtk
 %description -n system-config-audit
-An utility for editing audit configuration.
+A graphical utility for editing audit configuration.
 %prep
 %setup -q
-%patch1 -p1
+mkdir zos-remote-policy
+cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
 %build
 (cd system-config-audit; ./autogen.sh)
 aclocal && autoconf && autoheader && automake
 %configure --sbindir=/sbin --libdir=/%{_lib}
 make
+cd zos-remote-policy
+for selinuxvariant in %{selinux_variants}
+do
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ mv audispd-zos-remote.pp audispd-zos-remote.pp.${selinuxvariant}
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
 %install
 rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audispd/plugins.d,rc.d/init.d}}
-mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
+mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
 mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit
 make DESTDIR=$RPM_BUILD_ROOT install
 make -C system-config-audit DESTDIR=$RPM_BUILD_ROOT install-fedora
+for selinuxvariant in %{selinux_variants}
+do
+ install -d $RPM_BUILD_ROOT/%{_datadir}/selinux/${selinuxvariant}
+ install -p -m 644 zos-remote-policy/audispd-zos-remote.pp.${selinuxvariant} \
+ $RPM_BUILD_ROOT/%{_datadir}/selinux/${selinuxvariant}/audispd-zos-remote.pp
+done
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}
 # This winds up in the wrong place when libtool is involved
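Review bot: The new %build loop enters the policy directory with a bare `cd zos-remote-policy` and returns with `cd -`, which depends on OLDPWD still pointing at the source root, echoes that path into the build log, and leaves any line later inserted before `cd -` running in the wrong directory. Nothing in the loop checks the result of `make` or `mv`, so if rpm does not run the section with errexit (I believe it does not, but that depends on the rpm build), a failed policy build is only noticed when %install tries to copy a `.pp.${selinuxvariant}` file that was never produced. Wrapping the block in a subshell with explicit failure handling keeps %build anchored to the source root and fails at the first broken variant. A one-line comment at the `selinux_variants` definition saying which policy stores the module is expected to load into would also help whoever later adds or drops a variant.
```rpmspec
make
(cd zos-remote-policy &&
 for selinuxvariant in %{selinux_variants}
 do
   make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile &&
   mv audispd-zos-remote.pp audispd-zos-remote.pp.${selinuxvariant} &&
   make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean || exit 1
 done) || exit 1
# … unchanged: %install section …
```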
@@ -112,16 +149,23 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
 %find_lang system-config-audit
-# Remove the plugin stuff for now
-rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/au-ids.conf
-rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/remote.conf
-rm -f $RPM_BUILD_ROOT/sbin/audisp-ids
+#% check
+#make check
 %clean
 rm -rf $RPM_BUILD_ROOT
 %post libs -p /sbin/ldconfig
+%post -n audispd-plugins
+for selinuxvariant in %{selinux_variants}
+do
+ /usr/sbin/semodule -s $selinuxvariant \
+ -i %{_datadir}/selinux/$selinuxvariant/audispd-zos-remote.pp \
+ &> /dev/null || :
+done
+/sbin/restorecon -F /sbin/audispd-zos-remote /etc/audisp/zos-remote.conf
+
 %post
 /sbin/chkconfig --add auditd
 if [ -f /etc/auditd.conf ]; then
@@ -148,6 +192,14 @@ fi
 %postun libs
 /sbin/ldconfig 2>/dev/null
+%postun -n audispd-plugins
+if [ $1 -eq 0 ]; then
+ for selinuxvariant in %{selinux_variants}
+ do
+ /usr/sbin/semodule -s $selinuxvariant -r audispd-zos-remote &>/dev/null || :
+ done
+fi
+
 %postun
 if [ $1 -ge 1 ]; then
 /sbin/service auditd condrestart > /dev/null 2>&1 || :
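Review bot: `/sbin/restorecon -F /sbin/audispd-zos-remote /etc/audisp/zos-remote.conf` in the new `%post -n audispd-plugins` lacks the `|| :` that the semodule loop above it and the existing `%postun` at the end of the second hunk use, so a non-zero exit from restorecon fails the scriptlet and leaves the package recorded as not configured; `/sbin/restorecon -F /sbin/audispd-zos-remote /etc/audisp/zos-remote.conf || :` keeps it best-effort like its neighbours. The `&> /dev/null` redirections in this scriptlet and in the `%postun -n audispd-plugins` hunk below are a bash extension, while the existing line `/sbin/service auditd condrestart > /dev/null 2>&1 || :` in the same file uses the POSIX form; matching it drops the assumption that /bin/sh is bash. Discarding stderr from `semodule -i` also hides a failed policy load from the administrator installing the package; `> /dev/null || :` would keep the scriptlet non-fatal while still surfacing the error.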
@@ -175,13 +227,20 @@ fi
 %defattr(-,root,root)
 %{_libdir}/python?.?/site-packages/_audit.so
 %{_libdir}/python?.?/site-packages/auparse.so
+%{_libdir}/python?.?/site-packages/auparse-*.egg-info
 /usr/lib/python?.?/site-packages/audit.py*
 %files
 %defattr(-,root,root,-)
 %doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
-%attr(0644,root,root) %{_mandir}/man8/*
-%attr(0644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
+%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
+%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
 %attr(750,root,root) /sbin/auditctl
 %attr(750,root,root) /sbin/auditd
 %attr(755,root,root) /sbin/ausearch
@@ -199,7 +258,19 @@ fi
 %config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
 %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
 %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
+
+%files -n audispd-plugins
+%defattr(-,root,root,-)
 %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
+%attr(640,root,root) /etc/audisp/plugins.d/au-ids.conf
+%attr(640,root,root) /etc/audisp/plugins.d/remote.conf
+%attr(750,root,root) /sbin/audisp-ids
+%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
+%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
+%attr(750,root,root) /sbin/audispd-zos-remote
+%attr(755,root,root) %{_datadir}/selinux/*/audispd-zos-remote.pp
 %files -n system-config-audit -f system-config-audit.lang
 %defattr(-,root,root,-)
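Review bot: `%attr(755,root,root) %{_datadir}/selinux/*/audispd-zos-remote.pp` in the second hunk overrides the `install -p -m 644` that %install uses for the same files in an earlier hunk and marks data consumed by semodule as executable; `%attr(644,root,root) %{_datadir}/selinux/*/audispd-zos-remote.pp` matches the install step. In the same hunk `au-ids.conf` and `remote.conf` are added without `%config(noreplace)` although the two zos-remote configuration files beside them carry it, so local edits to those plugin configurations would be overwritten on upgrade; unless they are not meant to be edited, they should read `%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-ids.conf` and the same for remote.conf. Note also that the context line `%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf` now falls under the new `%files -n audispd-plugins`, which moves syslog.conf out of the main package; if the syslog plugin itself stays in the main package, that line belongs above the new `%files` header.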
@@ -217,12 +288,15 @@ fi
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
 %changelog
-* Wed Oct 17 2007 Steve Grubb 1.6.2-4
-- Fix race between threads accessing common data in auditd
-- Fix double free in event dispatcher.
-
-* Fri Oct 5 2007 Steve Grubb 1.6.2-3
-- Fix syscall name to number conversion in libaudit.
+* Thu Dec 27 2007 Steve Grubb 1.6.3-1
+- Add kernel release string to DEAMON_START events
+- Fix keep_logs when num_logs option disabled (#325561)
+- Fix auparse to handle node fields for syscall records
+- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
+- Add keyword week-ago to aureport & ausearch start/end times
+- Fix audit log permissions on rotate. If group is root 0400, otherwise 0440
+- Add RACF zos remote audispd plugin (Klaus Kiwi)
+- Add event queue overflow action to audispd
 * Mon Oct 1 2007 Steve Grubb 1.6.2-2
 - Don't retry if the rt queue is full.
diff --git a/sources b/sources
index 0aab50f..cea29a2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a95dbfa22e65669e4449f3accbe84aef audit-1.6.2.tar.gz
+11f7c682093cea6aa6b2e6be93f9d0e3 audit-1.6.3.tar.gz